Software Integrity Blog

Triage open source vulnerabilities in Coverity Connect

We’ve listened to customer needs and pain points: Developers need a way to triage open source vulnerabilities within the application security tools they’re already using. That’s why we’ve established best practices and a secure development workflow integrating Black Duck Binary Analysis and Coverity Connect.

The risk of open source and third-party code

In today’s fast-paced world with rapid technological advancements, few people need any introduction to the dangers of security vulnerabilities lurking in open source and third-party code.

Open source software has come a long way from being a techno-hippie dream in the late ’80s. Today, it exists nearly everywhere and is a pervasive component of all current major technological innovation. We find open source software components in our Linux operating systems, Apache web servers, Android mobile environments, and Hadoop big data frameworks, among others. Consequently, many companies, both enterprises and startups alike, must figure out ways to incorporate more open source modules into their proprietary code—or at the very least, expose capabilities in their software to interact with open source code.

But this transition toward the widespread use of open source code has not been without risks, and we don’t have to look far to understand that. In September 2017, Equifax, a major consumer credit reporting agency and a Fortune 100 firm, was hacked by cyber criminals. Its data was compromised owing to a flaw in the open source software the company used, leading to severe financial repercussions for the company and loss of consumer trust.

Manage your risk when using open source code

In light of such imposing threats, companies are scrambling for approaches to manage and use their open source and third-party code more securely. Synopsys has been helping companies manage risk and legal compliance with Black Duck Binary Analysis, an advanced automated software composition analysis tool. Black Duck Binary Analysis is continually updated so that it can detect newly disclosed security vulnerabilities and license definitions for open source software. Organizations can also gain substantial efficiency by taking a two-pronged approach:

Developers triage first. Developers are intimate with the code and possible attack surface vectors for software in development. Give them visibility into security vulnerabilities in third-party code, and the ability to actively triage code defects, as the first line of defense.

Centralized workflow. Establish a centralized workflow where both IT security teams and software development groups/organizations have visibility into identified security vulnerabilities. This secure development workflow allows them to adopt third-party code selectively and establish appropriate best practices and security policies.

Triage open source vulnerabilities in Coverity Connect

Coverity is a comprehensive static application security testing (SAST) platform that finds critical defects and security weaknesses in code before they become vulnerabilities or crashes, or degrade the overall quality of your software.

After listening to our customers’ needs and pain points, Synopsys has established a set of best practices and a secure development workflow that integrates Black Duck Binary Analysis and Coverity Connect. Black Duck Binary Analysis identifies the open source security vulnerabilities, and the Coverity Connect interface is used to triage them. This approach makes it possible to customize triaging for specific software group needs, set up charts, track vulnerability trends, and establish a baseline to manage and triage open source security vulnerabilities.

For groups that have already deployed the Coverity platform, the integration leverages the existing software development life cycle (SDLC) workflow around Coverity, saving time and cost. There is no need for additional resources to design and set up a new workflow. In addition, team and company supervisors can reduce complexity by using a common interface to monitor all security-related defects requiring developer attention. This ability is especially useful when open source code is spread across many applications and engineering divisions.

Results and impact of a secure development workflow

The Black Duck Binary Analysis / Coverity Connect integration is facilitated by Python scripts. Additionally, it can be deployed as a plug-and-play feature within any operating environment that supports Coverity Analysis. You can configure the integration results via the Coverity Connect interface, and you can also layer on custom features. For example, you can organize results by CVSS rating and score, and customize technical descriptions to comply with a specific industry standard. You can also support more tailored workflows for individual development teams. In summary, the integration offers three key benefits for software organizations from a security standpoint:

By using their existing Coverity deployment infrastructure, companies can establish an independent workflow that uses the established process for triaging defects.

Both engineering and IT security teams can pinpoint with greater granularity the vulnerabilities that affect individual applications, and establish an action plan.

The solution can be scaled to deploy on any number of servers and easily integrated with continuous integration (CI) and issue-tracking tools.

A sample customization. The interface links the identified vulnerability to the National Vulnerability Database (NVD) and displays relevant triage information, such as the CVSS score, rating, and so on.
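The following script is an added example, not Synopsys' own integration scripts, and illustrates the two customizations described above (organizing findings by CVSS rating and score, and linking each finding to its NVD entry). It takes a constructed list of Black Duck Binary Analysis-style findings, merges duplicate hits of the same vulnerable component found under several applications, attaches the CVSS qualitative rating and the NVD detail URL, and sorts the result so that developers triaging first see the highest-scoring items first. The input field names (component, version, cve, cvss, path), the output record shape, the default triage state and the CVE identifiers in the sample data are all assumptions made for the example; only the CVSS v3 rating bands and the NVD URL pattern are real.

```python
"""
Added example (not Synopsys' integration code): turn BDBA-style findings into
triage records with CVSS rating and NVD link. Input/output field names,
the default triage state and the sample CVE ids are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Real NVD detail-page pattern; the CVE id is substituted in.
NVD_DETAIL_URL = "https://nvd.nist.gov/vuln/detail/{cve}"
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def cvss_rating(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def nvd_link(cve_id: str) -> str:
    """Build the NVD detail URL, rejecting anything that is not a CVE id."""
    if not CVE_RE.match(cve_id):
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return NVD_DETAIL_URL.format(cve=cve_id)


@dataclass
class TriageRecord:
    """Assumed shape of a record handed to the triage interface."""
    cve: str
    component: str
    version: str
    cvss_score: float
    cvss_rating: str
    nvd_url: str
    locations: List[str] = field(default_factory=list)
    triage_state: str = "Untriaged"  # assumed default state


def build_triage_records(findings: List[Dict]) -> List[TriageRecord]:
    """Merge hits on the same (cve, component, version) across applications,
    keep every location, and sort by CVSS score descending."""
    merged: Dict[Tuple[str, str, str], TriageRecord] = {}
    for f in findings:
        key = (f["cve"], f["component"], f["version"])
        rec = merged.get(key)
        if rec is None:
            score = float(f["cvss"])
            rec = TriageRecord(
                cve=f["cve"], component=f["component"], version=f["version"],
                cvss_score=score, cvss_rating=cvss_rating(score),
                nvd_url=nvd_link(f["cve"]),
            )
            merged[key] = rec
        if f["path"] not in rec.locations:
            rec.locations.append(f["path"])
    return sorted(merged.values(), key=lambda r: (-r.cvss_score, r.cve))


def summarize(records: List[TriageRecord]) -> Dict[str, int]:
    """Count records per rating, as a chart in the triage interface would."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r.cvss_rating] = counts.get(r.cvss_rating, 0) + 1
    return counts


# Constructed sample findings; CVE ids are placeholders, not real entries.
SAMPLE_FINDINGS = [
    {"component": "libexample", "version": "1.2.0", "cve": "CVE-0000-0001",
     "cvss": 9.8, "path": "app-a/lib/libexample.so"},
    {"component": "libexample", "version": "1.2.0", "cve": "CVE-0000-0001",
     "cvss": 9.8, "path": "app-b/lib/libexample.so"},   # same bug, second app
    {"component": "libexample", "version": "1.2.0", "cve": "CVE-0000-0002",
     "cvss": 5.3, "path": "app-a/lib/libexample.so"},
    {"component": "parserlib", "version": "0.9", "cve": "CVE-0000-0003",
     "cvss": 7.5, "path": "app-c/parser.jar"},
    {"component": "oldutil", "version": "3.1", "cve": "CVE-0000-0004",
     "cvss": 3.9, "path": "app-c/util.jar"},
]

if __name__ == "__main__":
    records = build_triage_records(SAMPLE_FINDINGS)
    for r in records:
        print(f"{r.cvss_rating:<8} {r.cvss_score:>4} {r.cve} "
              f"{r.component} {r.version} {r.nvd_url} locations={len(r.locations)}")
    print(summarize(records))
```

Merging on (CVE, component, version) is what keeps a single vulnerable library shipped in several applications from appearing as several unrelated defects; the locations list preserves where each copy lives so that the fix can be tracked per application.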